SLAPD.CONF(5)                File Formats Manual                SLAPD.CONF(5)

NAME
       slapd.conf - configuration file for slapd, the stand-alone LDAP daemon

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The file /etc/openldap/slapd.conf contains configuration information
       for the slapd(8) daemon. This configuration file is also used by the
       SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
       slapindex(8), and slaptest(8).

       The slapd.conf file consists of a series of global configuration
       options that apply to slapd as a whole (including all backends),
       followed by zero or more database backend definitions that contain
       information specific to a backend instance. The configuration options
       are case-insensitive; their value, on a case by case basis, may be
       case-sensitive.

       The general format of slapd.conf is as follows:

              # comment - these options apply to every database
              <global configuration options>
              # first database definition & configuration options
              database <backend 1 type>
              <configuration options specific to backend 1>
              # subsequent database definitions & configuration options
              ...

       As many backend-specific sections as desired may be included. Global
       options can be overridden in a backend (for options that appear more
       than once, the last appearance in the slapd.conf file is used).

       If a line begins with white space, it is considered a continuation of
       the previous line. No physical line should be over 2000 bytes long.

       Blank lines and comment lines beginning with a `#' character are
       ignored. Note: continuation lines are unwrapped before comment
       processing is applied.

       Arguments on configuration lines are separated by white space. If an
       argument contains white space, the argument should be enclosed in
       double quotes. If an argument contains a double quote (`"') or a
       backslash character (`\'), the character should be preceded by a
       backslash character.
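
       The following Python lexer is an added illustration of the line
       conventions just described; it is example code written for this page,
       not OpenLDAP's own configuration parser. It unwraps continuation
       lines, drops comment lines only after unwrapping, splits arguments on
       white space with double-quote grouping and backslash escapes, enforces
       the 2000-byte physical line limit, and reports the last occurrence of
       a directive because that is the one that takes effect. The sample
       configuration text is constructed for the example; it shows how a
       directive indented after a comment line is silently swallowed by the
       comment.

```python
"""Illustrative slapd.conf lexer (added example, not OpenLDAP's parser)."""

CONTINUATION = (" ", "\t")
MAX_PHYSICAL_LINE = 2000  # bytes, as stated in slapd.conf(5)


def unwrap(text):
    """Join physical lines into logical lines: a line beginning with white
    space continues the previous line. This happens before comment handling,
    so an indented line after a '#' comment becomes part of that comment."""
    logical = []
    for raw in text.splitlines():
        if len(raw.encode("utf-8")) > MAX_PHYSICAL_LINE:
            raise ValueError("physical line exceeds 2000 bytes")
        if raw[:1] in CONTINUATION and logical:
            logical[-1] += raw  # leading blank of the continuation stays as a separator
        else:
            logical.append(raw)
    return logical


def split_args(line):
    """Split a logical line into arguments: white space separates arguments,
    double quotes group text containing white space, and a backslash escapes
    a following double quote or backslash."""
    args, cur, in_quote, quoted, i = [], [], False, False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in '"\\':
            cur.append(line[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote, quoted = not in_quote, True
        elif c.isspace() and not in_quote:
            if cur or quoted:  # quoted empty string is still an argument
                args.append("".join(cur))
            cur, quoted = [], False
        else:
            cur.append(c)
        i += 1
    if in_quote:
        raise ValueError(f"unterminated double quote in line: {line!r}")
    if cur or quoted:
        args.append("".join(cur))
    return args


def parse_slapd_conf(text):
    """Return [(directive, args), ...]; directive names are case-insensitive,
    so they are lower-cased, while argument values are left untouched."""
    directives = []
    for line in unwrap(text):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        args = split_args(line)
        if args:
            directives.append((args[0].lower(), args[1:]))
    return directives


def effective(directives, name):
    """Arguments of the last occurrence of a directive: when an option
    appears more than once, the last appearance in slapd.conf is used."""
    found = [args for d, args in directives if d == name.lower()]
    return found[-1] if found else None


# Constructed sample configuration text (not from the man page).
SAMPLE_CONF = r'''# comment - these options apply to every database
include         /etc/openldap/schema/core.schema
loglevel        acl
        trace
loglevel        stats
require authc
# An indented directive after a comment is unwrapped INTO the comment and lost:
        security ssf=128
rootdn  "cn=Manager,dc=example,dc=com"
access to *
        by dn.exact="cn=Admin Role,dc=example,dc=com" write
        by * read
argsfile "/var/run/slapd args \"quoted\""
'''

if __name__ == "__main__":
    for directive, args in parse_slapd_conf(SAMPLE_CONF):
        print(directive, args)
    print("effective loglevel:", effective(parse_slapd_conf(SAMPLE_CONF), "loglevel"))
    print("security directive seen:", effective(parse_slapd_conf(SAMPLE_CONF), "security"))
```

       Running it shows seven directives; the indented "security ssf=128"
       line never appears, which is the practical consequence of the note
       that unwrapping precedes comment processing.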

       The specific configuration options available are discussed below in
       the Global Configuration Options, General Backend Options, and General
       Database Options. Backend-specific options are discussed in the
       slapd-<backend>(5) manual pages. Refer to the "OpenLDAP Administrator's
       Guide" for more details on the slapd configuration file.

GLOBAL CONFIGURATION OPTIONS
       Options described in this section apply to all backends, unless
       specifically overridden in a backend definition. Arguments that should
       be replaced by actual text are shown in brackets <>.

       access to <what> [ by <who> <access> <control> ]+
              Grant access (specified by <access>) to a set of entries and/or
              attributes (specified by <what>) by one or more requestors
              (specified by <who>). If no access controls are present, the
              default policy allows anyone and everyone to read anything but
              restricts updates to rootdn. (e.g., "access to * by * read").
              The rootdn can always read and write EVERYTHING! See
              slapd.access(5) and the "OpenLDAP Administrator's Guide" for
              details.

       allow <features>
              Specify a set of features (separated by white space) to allow
              (default none). bind_v2 allows acceptance of LDAPv2 bind
              requests. Note that slapd(8) does not truly implement LDAPv2
              (RFC 1777), now Historic (RFC 3494). bind_anon_cred allows
              anonymous bind when credentials are not empty (e.g. when DN is
              empty). bind_anon_dn allows unauthenticated (anonymous) bind
              when DN is not empty. update_anon allows unauthenticated
              (anonymous) update operations to be processed (subject to access
              controls and other administrative limits). proxy_authz_anon
              allows unauthenticated (anonymous) proxy authorization control
              to be processed (subject to access controls, authorization and
              other administrative limits).

       argsfile <filename>
              The (absolute) name of a file that will hold the slapd server's
              command line (program name and options).

       attributeoptions [option-name]...
              Define tagging attribute options or option tag/range prefixes.
              Options must not end with `-', prefixes must end with `-'. The
              `lang-' prefix is predefined. If you use the attributeoptions
              directive, `lang-' will no longer be defined and you must
              specify it explicitly if you want it defined.

              An attribute description with a tagging option is a subtype of
              that attribute description without the option. Except for that,
              options defined this way have no special semantics. Prefixes
              defined this way work like the `lang-' options: They define a
              prefix for tagging options starting with the prefix. That is,
              if you define the prefix `x-foo-', you can use the option
              `x-foo-bar'. Furthermore, in a search or compare, a prefix or
              range name (with a trailing `-') matches all options starting
              with that name, as well as the option with the range name sans
              the trailing `-'. That is, `x-foo-bar-' matches `x-foo-bar' and
              `x-foo-bar-baz'.

              RFC 4520 reserves options beginning with `x-' for private
              experiments. Other options should be registered with IANA, see
              RFC 4520 section 3.5. OpenLDAP also has the `binary' option
              built in, but this is a transfer option, not a tagging option.

       attributetype ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
              [SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>]
              [SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE]
              [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
              Specify an attribute type using the LDAPv3 syntax defined in RFC
              4512. The slapd parser extends the RFC 4512 definition by
              allowing string forms as well as numeric OIDs to be used for the
              attribute OID and attribute syntax OID. (See the
              objectidentifier description.)

       authid-rewrite<cmd> <args>
              Used by the authentication framework to convert simple user
              names to an LDAP DN used for authorization purposes. Its
              purpose is analogous to that of authz-regexp (see below). The
              prefix authid- is followed by a set of rules analogous to those
              described in slapo-rwm(5) for data rewriting (replace the rwm-
              prefix with authid-). authid-rewrite<cmd> and authz-regexp
              rules should not be intermixed.

       authz-policy <policy>
              Used to specify which rules to use for Proxy Authorization.
              Proxy authorization allows a client to authenticate to the
              server using one user's credentials, but specify a different
              identity to use for authorization and access control purposes.
              It essentially allows user A to login as user B, using user A's
              password. The none flag disables proxy authorization. This is
              the default setting. The from flag will use rules in the
              authzFrom attribute of the authorization DN. The to flag will
              use rules in the authzTo attribute of the authentication DN.
              The any flag, an alias for the deprecated value of both, will
              allow any of the above, whatever succeeds first (checked in to,
              from sequence). The all flag requires both authorizations to
              succeed.

              The rules are mechanisms to specify which identities are allowed
              to perform proxy authorization. The authzFrom attribute in an
              entry specifies which other users are allowed to proxy login to
              this entry. The authzTo attribute in an entry specifies which
              other users this user can authorize as. Use of authzTo rules
              can be easily abused if users are allowed to write arbitrary
              values to this attribute. In general the authzTo attribute must
              be protected with ACLs such that only privileged users can
              modify it. The value of authzFrom and authzTo describes an
              identity or a set of identities; it can take five forms:

                     ldap:///<base>??[<scope>]?<filter>
                     dn[.<dnstyle>]:<pattern>
                     u[.<mech>[/<realm>]]:<pattern>
                     group[/objectClass[/attributeType]]:<pattern>
                     <pattern>

                     <dnstyle>:={exact|onelevel|children|subtree|regex}

              The first form is a valid LDAP URI where the <host>:<port>, the
              <attrs> and the <extensions> portions must be absent, so that
              the search occurs locally on either authzFrom or authzTo. The
              second form is a DN, with the optional style modifiers exact,
              onelevel, children, and subtree for exact, onelevel, children
              and subtree matches, which cause <pattern> to be normalized
              according to the DN normalization rules, or the special regex
              style, which causes the <pattern> to be treated as a POSIX
              (''extended'') regular expression, as discussed in regex(7)
              and/or re_format(7). A pattern of * means any non-anonymous DN.
              The third form is a SASL id, with the optional fields <mech> and
              <realm> that allow specifying a SASL mechanism, and eventually a
              SASL realm, for those mechanisms that support one. The need to
              allow the specification of a mechanism is still debated, and
              users are strongly discouraged from relying on this possibility.
              The fourth form is a group specification, consisting of the
              keyword group, optionally followed by the specification of the
              group objectClass and member attributeType. The group with DN
              <pattern> is searched with base scope, and in case of match, the
              values of the member attributeType are searched for the asserted
              DN. For backwards compatibility, if no identity type is
              provided, i.e. only <pattern> is present, an exact DN is
              assumed; as a consequence, <pattern> is subjected to DN
              normalization. Since the interpretation of authzFrom and
              authzTo can impact security, users are strongly encouraged to
              explicitly set the type of identity specification that is being
              used. A subset of these rules can be used as third arg in the
              authz-regexp statement (see below); significantly, the URI,
              provided it results in exactly one entry, and the dn.exact:<dn>
              forms.

       authz-regexp <match> <replace>
              Used by the authentication framework to convert simple user
              names, such as provided by SASL subsystem, or extracted from
              certificates in case of cert-based SASL EXTERNAL, or provided
              within the RFC 4370 "proxied authorization" control, to an LDAP
              DN used for authorization purposes. Note that the resulting DN
              need not refer to an existing entry to be considered valid.
              When an authorization request is received from the SASL
              subsystem, the SASL USERNAME, REALM, and MECHANISM are taken,
              when available, and combined into a name of the form

                     UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth

              This name is then compared against the match POSIX
              (''extended'') regular expression, and if the match is
              successful, the name is replaced with the replace string. If
              there are wildcard strings in the match regular expression that
              are enclosed in parenthesis, e.g.

                     UID=([^,]*),CN=.*

              then the portion of the name that matched the wildcard will be
              stored in the numbered placeholder variable $1. If there are
              other wildcard strings in parenthesis, the matching strings will
              be in $2, $3, etc. up to $9. The placeholders can then be used
              in the replace string, e.g.

                     UID=$1,OU=Accounts,DC=example,DC=com

              The replaced name can be either a DN, i.e. a string prefixed by
              "dn:", or an LDAP URI. If the latter, the server will use the
              URI to search its own database(s) and, if the search returns
              exactly one entry, the name is replaced by the DN of that entry.
              The LDAP URI must have no hostport, attrs, or extensions
              components, but the filter is mandatory, e.g.

                     ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)

              The protocol portion of the URI must be strictly ldap. Note
              that this search is subject to access controls. Specifically,
              the authentication identity must have "auth" access in the
              subject.

              Multiple authz-regexp options can be given in the configuration
              file to allow for multiple matching and replacement patterns.
              The matching patterns are checked in the order they appear in
              the file, stopping at the first successful match.
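
       The following Python program is an added example, not OpenLDAP code,
       of the authz-regexp mapping described above: it builds the
       UID=...,CN=auth name, applies the rules in order with first-match
       semantics, substitutes $1..$9, and for an ldap:/// result performs a
       local search that succeeds only when exactly one entry matches.
       Assumptions: Python's re module stands in for POSIX extended regular
       expressions with a case-insensitive match over the whole name; the
       directory is a constructed in-memory dict; only (attribute=value)
       filters are evaluated; and a replacement with neither a "dn:" nor an
       "ldap:///" prefix is taken as a literal DN, as the UID=$1,OU=Accounts
       example above implies. The access-control check on the search ("auth"
       access) is not modelled.

```python
"""authz-regexp mapping, added example (not OpenLDAP code)."""
import re

PLACEHOLDER = re.compile(r"\$([1-9])")
# Strictly ldap:/// with an empty host part; attrs, scope, filter, extensions optional here
LDAP_URI = re.compile(
    r"^ldap:///([^?]*)(?:\?([^?]*)(?:\?([^?]*)(?:\?([^?]*)(?:\?(.*))?)?)?)?$", re.I)


def sasl_auth_name(username, mechanism=None, realm=None):
    """UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth"""
    parts = [f"UID={username}"]
    if mechanism:
        if realm:
            parts.append(f"CN={realm}")
        parts.append(f"CN={mechanism}")
    parts.append("CN=auth")
    return ",".join(parts)


def _norm_dn(dn):
    """Toy DN normalization: lower-case, no blanks around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def in_scope(dn, base, scope):
    dn, base = _norm_dn(dn), _norm_dn(base)
    if scope == "base":
        return dn == base
    if scope in ("sub", "subtree") and dn == base:
        return True
    if not dn.endswith("," + base):
        return False
    rest = dn[: -len(base) - 1]
    if scope in ("one", "onelevel"):
        return "," not in rest
    if scope in ("sub", "subtree", "children"):
        return True
    raise ValueError(f"unknown scope {scope!r}")


def resolve_uri(uri, directory):
    """Search the local directory; the DN is returned only for exactly one hit.
    The URI rules (no host, no attrs, no extensions, filter mandatory) are the
    ones slapd.conf(5) states; the filter evaluator is deliberately minimal."""
    m = LDAP_URI.match(uri)
    if not m:
        raise ValueError("URI must be strictly ldap:/// with no hostport")
    base, attrs, scope, filt, exts = m.groups()
    if attrs or exts:
        raise ValueError("attrs and extensions components must be absent")
    if not filt:
        raise ValueError("filter component is mandatory")
    fm = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not fm:
        raise ValueError("toy evaluator supports only (attr=value) filters")
    attr, value = fm.group(1).lower(), fm.group(2).lower()
    hits = [dn for dn, entry in directory.items()
            if in_scope(dn, base, scope or "base")
            and value in (v.lower() for v in entry.get(attr, ()))]
    return hits[0] if len(hits) == 1 else None


def map_authid(rules, auth_name, directory):
    """Apply authz-regexp rules in file order; the first match decides."""
    for pattern, replace in rules:
        m = re.fullmatch(pattern, auth_name, flags=re.IGNORECASE)
        if not m:
            continue
        result = PLACEHOLDER.sub(
            lambda p: m.group(int(p.group(1))) if int(p.group(1)) <= m.re.groups else "",
            replace)
        if result.lower().startswith("dn:"):
            return result[3:]
        if result.lower().startswith("ldap:"):
            return resolve_uri(result, directory)  # None unless exactly one entry
        return result  # bare DN; it need not exist to be valid
    return None


# Constructed sample directory and rules (hypothetical data for this example).
DIRECTORY = {
    "uid=alice,ou=accounts,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=accounts,dc=example,dc=com": {"uid": ["bob"]},
    "uid=bob,ou=contractors,ou=accounts,dc=example,dc=com": {"uid": ["bob"]},
}
RULES = [
    (r"UID=([^,]*),CN=EXAMPLE\.COM,CN=GSSAPI,CN=auth",
     r"ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)"),
    (r"UID=([^,]*),CN=.*", r"UID=$1,OU=Accounts,DC=example,DC=com"),
]

if __name__ == "__main__":
    for name in (sasl_auth_name("alice", "GSSAPI", "EXAMPLE.COM"),
                 sasl_auth_name("bob", "GSSAPI", "EXAMPLE.COM"),
                 sasl_auth_name("carol", "DIGEST-MD5")):
        print(name, "->", map_authid(RULES, name, DIRECTORY))
```

       The one-level scope in the first rule is what keeps the bob lookup
       unambiguous; with a subtree scope the same search would return two
       entries and the mapping would fail, as the test below shows.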


       concurrency <integer>
              Specify a desired level of concurrency. Provided to the
              underlying thread system as a hint. The default is not to
              provide any hint.

       conn_max_pending <integer>
              Specify the maximum number of pending requests for an anonymous
              session. If requests are submitted faster than the server can
              process them, they will be queued up to this limit. If the limit
              is exceeded, the session is closed. The default is 100.

       conn_max_pending_auth <integer>
              Specify the maximum number of pending requests for an
              authenticated session. The default is 1000.

       defaultsearchbase <dn>
              Specify a default search base to use when client submits a non-
              base search request with an empty base DN. Base scoped search
              requests with an empty base DN are not affected.

       disallow <features>
              Specify a set of features (separated by white space) to disallow
              (default none). bind_anon disables acceptance of anonymous bind
              requests. Note that this setting does not prohibit anonymous
              directory access (See "require authc"). bind_simple disables
              simple (bind) authentication. tls_2_anon disables forcing
              session to anonymous status (see also tls_authc) upon StartTLS
              operation receipt. tls_authc disallows the StartTLS operation
              if authenticated (see also tls_2_anon).
              proxy_authz_non_critical disables acceptance of the proxied
              authorization control (RFC4370) when criticality is FALSE.
              dontusecopy_non_critical disables acceptance of the dontUseCopy
              control (a work in progress) when criticality is FALSE.

       ditcontentrule ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
              [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
              Specify a DIT Content Rule using the LDAPv3 syntax defined in
              RFC 4512. The slapd parser extends the RFC 4512 definition by
              allowing string forms as well as numeric OIDs to be used for the
              attribute OID and attribute syntax OID. (See the
              objectidentifier description.)

       gentlehup { on | off }
              A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
              Slapd will stop listening for new connections, but will not
              close the connections to the current clients. Future write
              operations return unwilling-to-perform, though. Slapd
              terminates when all clients have closed their connections (if
              they ever do), or - as before - if it receives a SIGTERM signal.
              This can be useful if you wish to terminate the server and start
              a new slapd server with another database, without disrupting the
              currently active clients. The default is off. You may wish to
              use idletimeout along with this option.

       idletimeout <integer>
              Specify the number of seconds to wait before forcibly closing an
              idle client connection. An idletimeout of 0 disables this
              feature. The default is 0. You may also want to set the
              writetimeout option.

       include <filename>
              Read additional configuration information from the given file
              before continuing with the next line of the current file.

       index_intlen <integer>
              Specify the key length for ordered integer indices. The most
              significant bytes of the binary integer will be used for index
              keys. The default value is 4, which provides exact indexing for
              31 bit values. A floating point representation is used to index
              values that are too large.

       index_substr_if_minlen <integer>
              Specify the minimum length for subinitial and subfinal indices.
              An attribute value must have at least this many characters in
              order to be processed by the indexing functions. The default is
              2.

       index_substr_if_maxlen <integer>
              Specify the maximum length for subinitial and subfinal indices.
              Only this many characters of an attribute value will be
              processed by the indexing functions; any excess characters are
              ignored. The default is 4.

       index_substr_any_len <integer>
              Specify the length used for subany indices. An attribute value
              must have at least this many characters in order to be
              processed. Attribute values longer than this length will be
              processed in segments of this length. The default is 4. The
              subany index will also be used in subinitial and subfinal index
              lookups when the filter string is longer than the
              index_substr_if_maxlen value.

       index_substr_any_step <integer>
              Specify the steps used in subany index lookups. This value sets
              the offset for the segments of a filter string that are
              processed for a subany index lookup. The default is 2. For
              example, with the default values, a search using this filter
              "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
              and "efgh".

       Note: Indexing support depends on the particular backend in use. Also,
       changing these settings will generally require deleting any indices
       that depend on these parameters and recreating them with slapindex(8).
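
       The Python model below is an added example, not OpenLDAP code, of how
       the four index_substr_* parameters shape substring indexing and
       lookups. The filter-side segmentation reproduces the "abcdefgh"
       example above ("abcd", "cdef", "efgh" with the defaults); on the value
       side the example indexes every any_len-character window of a stored
       value, which is the assumption that keeps a stepped lookup from
       missing matches. The entries and values are constructed. The last
       call in the usage shows why the note above asks for a rebuild with
       slapindex(8): querying with parameters different from those the index
       was built with silently returns no candidates.

```python
"""Substring index parameters: added example, not OpenLDAP's indexer."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SubstrParams:
    if_minlen: int = 2   # index_substr_if_minlen
    if_maxlen: int = 4   # index_substr_if_maxlen
    any_len: int = 4     # index_substr_any_len
    any_step: int = 2    # index_substr_any_step


DEFAULTS = SubstrParams()


def value_keys(value, p=DEFAULTS):
    """Index keys produced for one stored attribute value."""
    keys = set()
    top = min(len(value), p.if_maxlen)
    for n in range(p.if_minlen, top + 1):        # subinitial / subfinal prefixes and suffixes
        keys.add(("initial", value[:n]))
        keys.add(("final", value[-n:]))
    for j in range(len(value) - p.any_len + 1):  # subany: every any_len window (assumption)
        keys.add(("any", value[j:j + p.any_len]))
    return keys


def any_lookups(s, p=DEFAULTS):
    """Segments of a filter string probed in the subany index: windows of
    any_len characters taken every any_step characters."""
    return [s[j:j + p.any_len] for j in range(0, len(s) - p.any_len + 1, p.any_step)]


def filter_keys(initial="", any_parts=(), final="", p=DEFAULTS):
    """Keys looked up for a substring filter of the form initial*any*final."""
    keys = []
    if len(initial) >= p.if_minlen:
        keys.append(("initial", initial[:p.if_maxlen]))
        if len(initial) > p.if_maxlen:           # longer than if_maxlen: subany is used too
            keys += [("any", w) for w in any_lookups(initial, p)]
    for part in any_parts:
        keys += [("any", w) for w in any_lookups(part, p)]
    if len(final) >= p.if_minlen:
        keys.append(("final", final[-p.if_maxlen:]))
        if len(final) > p.if_maxlen:
            keys += [("any", w) for w in any_lookups(final, p)]
    return keys


class SubstrIndex:
    """Minimal posting-list index keyed by (kind, substring)."""

    def __init__(self, p=DEFAULTS):
        self.p = p
        self.postings = defaultdict(set)

    def add(self, entry_id, value):
        for key in value_keys(value, self.p):
            self.postings[key].add(entry_id)

    def candidates(self, initial="", any_parts=(), final="", p=None):
        """Candidate entry ids (a superset: the filter is still evaluated on
        each candidate). None means the filter is too short to use the index.
        Passing parameters other than those the index was built with yields
        misses, not errors."""
        keys = filter_keys(initial, any_parts, final, p or self.p)
        if not keys:
            return None
        sets = [self.postings.get(k, set()) for k in keys]
        return set.intersection(*sets)


if __name__ == "__main__":
    idx = SubstrIndex()
    for eid, cn in ((1, "abcdefgh"), (2, "xbcdefgx"), (3, "hello world")):  # constructed
        idx.add(eid, cn)
    print("lookups for *abcdefgh*:", any_lookups("abcdefgh"))
    print("cn=*abcdefgh*   ->", idx.candidates(any_parts=["abcdefgh"]))
    print("cn=*bcdefg*     ->", idx.candidates(any_parts=["bcdefg"]))
    print("cn=abcdef*      ->", idx.candidates(initial="abcdef"))
    print("mismatched params ->", idx.candidates(any_parts=["abcdefgh"], p=SubstrParams(any_len=3)))
```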


       ldapsyntax ( <oid> [DESC <description>] [X-SUBST <substitute-syntax>] )
              Specify an LDAP syntax using the LDAPv3 syntax defined in RFC
              4512. The slapd parser extends the RFC 4512 definition by
              allowing string forms as well as numeric OIDs to be used for the
              syntax OID. (See the objectidentifier description.) The slapd
              parser also honors the X-SUBST extension (an OpenLDAP-specific
              extension), which allows using the ldapsyntax statement to
              define a non-implemented syntax along with another syntax, the
              extension value substitute-syntax, as its temporary replacement.
              The substitute-syntax must be defined. This allows defining
              attribute types that make use of non-implemented syntaxes using
              the correct syntax OID. Unless X-SUBST is used, this
              configuration statement would result in an error, since no
              handlers would be associated to the resulting syntax structure.

       listener-threads <integer>
              Specify the number of threads to use for the connection manager.
              The default is 1 and this is typically adequate for up to 16 CPU
              cores. The value should be set to a power of 2.

       localSSF <SSF>
              Specifies the Security Strength Factor (SSF) to be given local
              LDAP sessions, such as those to the ldapi:// listener. For a
              description of SSF values, see sasl-secprops's minssf option
              description. The default is 71.

       logfile <filename>
              Specify a file for recording debug log messages. By default
              these messages only go to stderr and are not recorded anywhere
              else. Specifying a logfile copies messages to both stderr and
              the logfile.

       loglevel <integer> [...]
              Specify the level at which debugging statements and operation
              statistics should be syslogged (currently logged to the
              syslogd(8) LOG_LOCAL4 facility). They must be considered
              subsystems rather than increasingly verbose log levels. Some
              messages with higher priority are logged regardless of the
              configured loglevel as soon as any logging is configured. Log
              levels are additive, and available levels are:
                     1      (0x1 trace) trace function calls
                     2      (0x2 packets) debug packet handling
                     4      (0x4 args) heavy trace debugging (function args)
                     8      (0x8 conns) connection management
                     16     (0x10 BER) print out packets sent and received
                     32     (0x20 filter) search filter processing
                     64     (0x40 config) configuration file processing
                     128    (0x80 ACL) access control list processing
                     256    (0x100 stats) connections, LDAP operations,
                            results (recommended)
                     512    (0x200 stats2) stats log entries sent
                     1024   (0x400 shell) print communication with shell
                            backends
                     2048   (0x800 parse) entry parsing

                     16384  (0x4000 sync) LDAPSync replication
                     32768  (0x8000 none) only messages that get logged
                            whatever log level is set
              The desired log level can be input as a single integer that
              combines the (ORed) desired levels, both in decimal or in
              hexadecimal notation, as a list of integers (that are ORed
              internally), or as a list of the names that are shown between
              brackets, such that

                     loglevel 129
                     loglevel 0x81
                     loglevel 128 1
                     loglevel 0x80 0x1
                     loglevel acl trace

              are equivalent. The keyword any can be used as a shortcut to
              enable logging at all levels (equivalent to -1). The keyword
              none, or the equivalent integer representation, causes those
              messages that are logged regardless of the configured loglevel
              to be logged. In fact, if loglevel is set to 0, no logging
              occurs, so at least the none level is required to have high
              priority messages logged.

              The loglevel defaults to stats. This level should usually also
              be included when using other loglevels, to help analyze the
              logs.
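
       As an added example (not OpenLDAP code), the Python below combines
       loglevel arguments into the bitmask slapd works with and applies the
       rules just stated for 0, none and any. The names and bit values are
       exactly those listed above; entries the list above omits are not
       included. The emits() function models the statement that nothing is
       logged at level 0 while high-priority messages pass as soon as any
       level, even only none, is configured; which messages count as
       high-priority is not specified here and is passed in as a flag.

```python
"""loglevel bitmask handling: added example, not OpenLDAP code."""

LOGLEVEL_BITS = {  # names and bits as listed in slapd.conf(5)
    "trace": 0x1, "packets": 0x2, "args": 0x4, "conns": 0x8, "ber": 0x10,
    "filter": 0x20, "config": 0x40, "acl": 0x80, "stats": 0x100,
    "stats2": 0x200, "shell": 0x400, "parse": 0x800, "sync": 0x4000,
    "none": 0x8000,
}
ANY = -1  # 'any': every bit set


def parse_loglevel(args):
    """OR together decimal integers, 0x-prefixed hex integers and level names."""
    level = 0
    for tok in args:
        t = tok.lower()
        if t == "any":
            level |= ANY
        elif t in LOGLEVEL_BITS:
            level |= LOGLEVEL_BITS[t]
        elif t.startswith("0x"):
            level |= int(t, 16)
        elif t.isdigit():
            level |= int(t, 10)
        else:
            raise ValueError(f"unknown loglevel {tok!r}")
    return level


def enabled_names(level):
    """Subsystem names whose bit is set in the level."""
    return [name for name, bit in LOGLEVEL_BITS.items() if level & bit]


def emits(level, subsystem, high_priority=False):
    """Would a message from `subsystem` be logged at `level`? Level 0 logs
    nothing at all; once anything is enabled (even just 'none'), messages
    flagged high-priority pass regardless of their subsystem."""
    if level == 0:
        return False
    if high_priority:
        return True
    return bool(level & LOGLEVEL_BITS[subsystem])


if __name__ == "__main__":
    for form in (["129"], ["0x81"], ["128", "1"], ["0x80", "0x1"], ["acl", "trace"]):
        lvl = parse_loglevel(form)
        print(" ".join(form), "->", lvl, enabled_names(lvl))
    print("loglevel 0, high priority:", emits(0, "acl", high_priority=True))
    print("loglevel none, high priority:", emits(parse_loglevel(["none"]), "acl", high_priority=True))
```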

       moduleload <filename>
              Specify the name of a dynamically loadable module to load. The
              filename may be an absolute path name or a simple filename. Non-
              absolute names are searched for in the directories specified by
              the modulepath option. This option and the modulepath option are
              only usable if slapd was compiled with --enable-modules.

       modulepath <pathspec>
              Specify a list of directories to search for loadable modules.
              Typically the path is colon-separated but this depends on the
              operating system. The default is /usr/lib64/openldap, which is
              where the standard OpenLDAP install will place its modules.

       objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
              [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }]
              [MUST <oids>] [MAY <oids>] )
              Specify an objectclass using the LDAPv3 syntax defined in RFC
              4512. The slapd parser extends the RFC 4512 definition by
              allowing string forms as well as numeric OIDs to be used for the
              object class OID. (See the objectidentifier description.)
              Object classes are "STRUCTURAL" by default.

       objectidentifier <name> { <oid> | <name>[:<suffix>] }
              Define a string name that equates to the given OID. The string
              can be used in place of the numeric OID in objectclass and
              attribute definitions. The name can also be used with a suffix
              of the form ":xx" in which case the value "oid.xx" will be used.

       password-hash <hash> [<hash>...]
              This option configures one or more hashes to be used in
              generation of user passwords stored in the userPassword
              attribute during processing of LDAP Password Modify Extended
              Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
              {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.

              {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the
              latter with a seed.

              {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
              with a seed.

              {CRYPT} uses the crypt(3).

              {CLEARTEXT} indicates that the new password should be added to
              userPassword as clear text.

              Note that this option does not alter the normal user
              applications handling of userPassword during LDAP Add, Modify,
              or other LDAP operations.

       password-crypt-salt-format <format>
              Specify the format of the salt passed to crypt(3) when
              generating {CRYPT} passwords (see password-hash) during
              processing of LDAP Password Modify Extended Operations (RFC
              3062).

              This string needs to be in sprintf(3) format and may include one
              (and only one) %s conversion. This conversion will be
              substituted with a string of random characters from
              [A-Za-z0-9./]. For example, "%.2s" provides a two character
              salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
              algorithm and provides 8 random characters of salt. The default
              is "%s", which provides 31 characters of salt.
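
       The following Python is an added example, not OpenLDAP code, covering
       both the password-hash storage formats and the rendering of a
       password-crypt-salt-format string. It produces and verifies the {SHA},
       {SSHA}, {MD5}, {SMD5} and {CLEARTEXT} forms of a userPassword value,
       where the salted forms are the base64 encoding of digest(password +
       salt) followed by the salt, so a verifier recovers the salt as whatever
       follows the digest. {CRYPT} itself is not produced, since crypt(3) is
       platform specific; only its salt string is rendered, with the one %s
       conversion replaced by random [A-Za-z0-9./] characters. The
       four-byte seed length for the salted schemes is this example's choice.

```python
"""userPassword hash formats and crypt salt rendering (added example)."""
import base64
import hashlib
import hmac
import os
import re
import secrets
import string

SALT_CHARS = string.ascii_letters + string.digits + "./"  # [A-Za-z0-9./]
_SCHEMES = {  # scheme -> (digest constructor, salted?)
    "{SHA}": (hashlib.sha1, False), "{SSHA}": (hashlib.sha1, True),
    "{MD5}": (hashlib.md5, False), "{SMD5}": (hashlib.md5, True),
}


def make_hash(password, scheme="{SSHA}", salt=None):
    """Produce a userPassword value: {SCHEME}base64(digest(pw + salt) + salt)."""
    scheme = scheme.upper()
    if scheme == "{CLEARTEXT}":
        return password  # stored as typed, without a scheme prefix
    if scheme not in _SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    digest, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt  # 4-byte seed: example's choice
    else:
        salt = b""
    raw = digest(password.encode("utf-8") + salt).digest() + salt
    return scheme + base64.b64encode(raw).decode("ascii")


def check_password(password, stored):
    """Verify a candidate against a stored value. The salt is whatever follows
    the digest, so values with any salt length verify."""
    m = re.match(r"\{[A-Za-z0-9]+\}", stored)
    if not m:  # no scheme prefix: treated as cleartext
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    scheme = m.group(0).upper()
    if scheme not in _SCHEMES:
        raise ValueError(f"cannot verify scheme {scheme} in this example")
    digest, _ = _SCHEMES[scheme]
    raw = base64.b64decode(stored[m.end():])
    n = digest().digest_size
    expected, salt = raw[:n], raw[n:]
    return hmac.compare_digest(digest(password.encode("utf-8") + salt).digest(), expected)


_CONVERSION = re.compile(r"%(?:\.\d+)?s")


def crypt_salt(fmt="%s", random_len=31):
    """Render a password-crypt-salt-format string: exactly one %s conversion
    (optionally with a precision such as %.8s) is replaced by random
    characters from [A-Za-z0-9./]; "%s" yields all 31 of them."""
    if len(_CONVERSION.findall(fmt)) != 1 or "%" in _CONVERSION.sub("", fmt):
        raise ValueError("format must contain exactly one %s conversion")
    rnd = "".join(secrets.choice(SALT_CHARS) for _ in range(random_len))
    return fmt % rnd


if __name__ == "__main__":
    for scheme in ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CLEARTEXT}"):
        stored = make_hash("secret", scheme)
        print(scheme, stored, check_password("secret", stored))
    for fmt in ("%s", "%.2s", "$1$%.8s"):
        print(repr(fmt), "->", crypt_salt(fmt))
```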
507
508 pidfile <filename>
509 The (absolute) name of a file that will hold the slapd server's
510 process ID (see getpid(2)).
511
512 referral <url>
513 Specify the referral to pass back when slapd(8) cannot find a
514 local database to handle a request. If specified multiple
515 times, each url is provided.
516
517 require <conditions>
518 Specify a set of conditions (separated by white space) to
519 require (default none). The directive may be specified globally
520 and/or per-database; databases inherit global conditions, so
521 per-database specifications are additive. bind requires bind
522 operation prior to directory operations. LDAPv3 requires
523 session to be using LDAP version 3. authc requires
524 authentication prior to directory operations. SASL requires
525 SASL authentication prior to directory operations. strong
526 requires strong authentication prior to directory operations.
527 The strong keyword allows protected "simple" authentication as
528 well as SASL authentication. none may be used to require no
529 conditions (useful to clear out globally set conditions within a
530 particular database); it must occur first in the list of
531 conditions.
532
533 reverse-lookup on | off
534 Enable/disable client name unverified reverse lookup (default is
535 off if compiled with --enable-rlookups).
536
537 rootDSE <file>
538 Specify the name of an LDIF(5) file containing user defined
539 attributes for the root DSE. These attributes are returned in
540 addition to the attributes normally produced by slapd.
541
542 The root DSE is an entry with information about the server and
543 its capabilities, in operational attributes. It has the empty
544 DN, and can be read with e.g.:
545 ldapsearch -x -b "" -s base "+"
546 See RFC 4512 section 5.1 for details.
547
548 sasl-auxprops <plugin> [...]
549 Specify which auxprop plugins to use for authentication lookups.
550 The default is empty, which just uses slapd's internal support.
551 Usually no other auxprop plugins are needed.
552
553 sasl-host <fqdn>
554 Used to specify the fully qualified domain name used for SASL
555 processing.
556
557 sasl-realm <realm>
558 Specify SASL realm. Default is empty.
559
560 sasl-secprops <properties>
561 Used to specify Cyrus SASL security properties. The none flag
562 (without any other properties) causes the flag properties
563 default, "noanonymous,noplain", to be cleared. The noplain flag
564 disables mechanisms susceptible to simple passive attacks. The
565 noactive flag disables mechanisms susceptible to active attacks.
566 The nodict flag disables mechanisms susceptible to passive
567 dictionary attacks. The noanonymous flag disables mechanisms
568 which support anonymous login. The forwardsec flag require
569 forward secrecy between sessions. The passcred require
570 mechanisms which pass client credentials (and allow mechanisms
571 which can pass credentials to do so). The minssf=<factor>
572 property specifies the minimum acceptable security strength
573 factor as an integer approximate to effective key length used
574 for encryption. 0 (zero) implies no protection, 1 implies
575 integrity protection only, 56 allows DES or other weak ciphers,
576 112 allows triple DES and other strong ciphers, 128 allows RC4,
577 Blowfish and other modern strong ciphers. The default is 0.
578 The maxssf=<factor> property specifies the maximum acceptable
579 security strength factor as an integer (see minssf description).
580 The default is INT_MAX. The maxbufsize=<size> property
581 specifies the maximum security layer receive buffer size
582 allowed. 0 disables security layers. The default is 65536.
583
584 schemadn <dn>
585 Specify the distinguished name for the subschema subentry that
586 controls the entries on this server. The default is
587 "cn=Subschema".
588
589 security <factors>
590 Specify a set of security strength factors (separated by white
591 space) to require (see sasl-secprops's minssf option for a
592 description of security strength factors). The directive may be
593 specified globally and/or per-database. ssf=<n> specifies the
594 overall security strength factor. transport=<n> specifies the
595 transport security strength factor. tls=<n> specifies the TLS
596 security strength factor. sasl=<n> specifies the SASL security
597 strength factor. update_ssf=<n> specifies the overall security
598 strength factor to require for directory updates.
599 update_transport=<n> specifies the transport security strength
600 factor to require for directory updates. update_tls=<n>
601 specifies the TLS security strength factor to require for
602 directory updates. update_sasl=<n> specifies the SASL security
603 strength factor to require for directory updates.
604 simple_bind=<n> specifies the security strength factor required
605 for simple username/password authentication. Note that the
606 transport factor is measure of security provided by the
607 underlying transport, e.g. ldapi:// (and eventually IPSEC). It
608 is not normally used.
609
610 serverID <integer> [<URL>]
611 Specify an integer ID from 0 to 4095 for this server (limited to
612 3 hexadecimal digits). The ID may also be specified as a
613 hexadecimal ID by prefixing the value with "0x". These IDs are
614 required when using multimaster replication and each master must
615 have a unique ID. Note that this requirement also applies to
616 separate masters contributing to a glued set of databases. If
617 the URL is provided, this directive may be specified multiple
618 times, providing a complete list of participating servers and
619 their IDs. The fully qualified hostname of each server should be
620 used in the supplied URLs. The IDs are used in the "replica id"
621 field of all CSNs generated by the specified server. The default
622 value is zero. Example:
623
624 serverID 1
625
626 sizelimit {<integer>|unlimited}
627
628 sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
629 Specify the maximum number of entries to return from a search
630 operation. The default size limit is 500. Use unlimited to
631 specify no limits. The second format allows a fine grain
632 setting of the size limits. Extra args can be added on the same
633 line. See limits for an explanation of the different flags.
634
635 sockbuf_max_incoming <integer>
636 Specify the maximum incoming LDAP PDU size for anonymous
637 sessions. The default is 262143.
638
639 sockbuf_max_incoming_auth <integer>
640 Specify the maximum incoming LDAP PDU size for authenticated
641 sessions. The default is 4194303.
642
643 sortvals <attr> [...]
644 Specify a list of multi-valued attributes whose values will
645 always be maintained in sorted order. Using this option will
646 allow Modify, Compare, and filter evaluations on these
647 attributes to be performed more efficiently. The resulting sort
648 order depends on the attributes' syntax and matching rules and
649 may not correspond to lexical order or any other recognizable
650 order.
651
652 tcp-buffer [listener=<URL>] [{read|write}=]<size>
653 Specify the size of the TCP buffer. A global value for both
654 read and write TCP buffers related to any listener is defined,
655 unless the listener is explicitly specified, or either the read
656 or write qualifiers are used. See tcp(7) for details. Note
657 that some OS-es implement automatic TCP buffer tuning.
658
659 threads <integer>
660 Specify the maximum size of the primary thread pool. The
661 default is 16; the minimum value is 2.
662
663 timelimit {<integer>|unlimited}
664
665 timelimit time[.{soft|hard}]=<integer> [...]
666 Specify the maximum number of seconds (in real time) slapd will
667 spend answering a search request. The default time limit is
668 3600. Use unlimited to specify no limits. The second format
669 allows a fine grain setting of the time limits. Extra args can
670 be added on the same line. See limits for an explanation of the
671 different flags.
672
673 tool-threads <integer>
674 Specify the maximum number of threads to use in tool mode. This
675 should not be greater than the number of CPUs in the system.
676 The default is 1.
677
678 writetimeout <integer>
679 Specify the number of seconds to wait before forcibly closing a
680 connection with an outstanding write. This allows recovery from
681 various network hang conditions. A writetimeout of 0 disables
682 this feature. The default is 0.
683
684 TLS OPTIONS
685 If slapd is built with support for Transport Layer Security, there are
686 more options you can specify.
687
688 TLSCipherSuite <cipher-suite-spec>
689 Permits configuring what ciphers will be accepted and the
690 preference order. <cipher-suite-spec> should be a cipher
691 specification for the TLS library in use (OpenSSL, GnuTLS, or
692 Mozilla NSS). Example:
693
694 OpenSSL:
695 TLSCipherSuite HIGH:MEDIUM:+SSLv2
696
697 GnuTLS:
698 TLSCiphersuite SECURE256:!AES-128-CBC
699
700 To check what ciphers a given spec selects in OpenSSL, use:
701
702 openssl ciphers -v <cipher-suite-spec>
703
704 With GnuTLS the available specs can be found in the manual page
705 of gnutls-cli(1) (see the description of the option --priority).
706
707 In older versions of GnuTLS, where gnutls-cli does not support
708 the option --priority, you can obtain the — more limited — list
709 of ciphers by calling:
710
711 gnutls-cli -l
712
713 When using Mozilla NSS, the OpenSSL cipher suite specifications
714 are used and translated into the format used internally by
715 Mozilla NSS. There isn't an easy way to list the cipher suites
716 from the command line. The authoritative list is in the source
717 code for Mozilla NSS in the file sslinfo.c in the structure
718 static const SSLCipherSuiteInfo suiteInfo[]
719
720 TLSCACertificateFile <filename>
721 Specifies the file that contains certificates for all of the
722 Certificate Authorities that slapd will recognize. The
723 certificate for the CA that signed the server certificate must
724 be included among these certificates. If the signing CA was not
725 a top-level (root) CA, certificates for the entire sequence of
726 CA's from the signing CA to the top-level CA should be present.
727 Multiple certificates are simply appended to the file; the order
728 is not significant.
729
730 TLSCACertificatePath <path>
731 Specifies the path of a directory that contains Certificate
732 Authority certificates in separate individual files. Usually
733 only one of this or the TLSCACertificateFile is used. This
734 directive is not supported when using GnuTLS.
735
736 When using Mozilla NSS, <path> may contain a Mozilla NSS
737 cert/key database. If <path> contains a Mozilla NSS cert/key
738 database and CA cert files, OpenLDAP will use the cert/key
739 database and will ignore the CA cert files.
740
741 TLSCertificateFile <filename>
742 Specifies the file that contains the slapd server certificate.
743
744 When using Mozilla NSS, if using a cert/key database (specified
745 with TLSCACertificatePath), TLSCertificateFile specifies the
746 name of the certificate to use:
747 TLSCertificateFile Server-Cert
748 If using a token other than the internal built-in token, specify
749 the token name first, followed by a colon:
750 TLSCertificateFile my hardware device:Server-Cert
751 Use certutil -L to list the certificates by name:
752 certutil -d /path/to/certdbdir -L
753
754 TLSCertificateKeyFile <filename>
755 Specifies the file that contains the slapd server private key
756 that matches the certificate stored in the TLSCertificateFile
757 file. Currently, the private key must not be protected with a
758 password, so it is of critical importance that it is protected
759 carefully.
760
761 When using Mozilla NSS, TLSCertificateKeyFile specifies the name
762 of a file that contains the password for the key for the
763 certificate specified with TLSCertificateFile. The modutil
764 command can be used to turn off password protection for the
765 cert/key database. For example, if TLSCACertificatePath
766 specifies /etc/openldap/certdb as the location of the cert/key
767 database, use modutil to change the password to the empty
768 string:
769 modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
770 You must have the old password, if any. Ignore the WARNING
771 about the running browser. Press 'Enter' for the new password.
772
773 TLSDHParamFile <filename>
774 This directive specifies the file that contains parameters for
775 Diffie-Hellman ephemeral key exchange. This is required in
776 order to use a DSA certificate on the server. If multiple sets
777 of parameters are present in the file, all of them will be
778 processed. Note that setting this option may also enable
779 Anonymous Diffie-Hellman key exchanges in certain non-default
780 cipher suites. You should append "!ADH" to your cipher suites
781 if you have changed them from the default, otherwise no
782 certificate exchanges or verification will be done. When using
783 GnuTLS these parameters are always generated randomly so this
784 directive is ignored. This directive is ignored when using
785 Mozilla NSS.
786
787 TLSECName <name>
788 Specify the name of a curve to use for Elliptic curve Diffie-
789 Hellman ephemeral key exchange. This is required to enable
790 ECDHE algorithms in OpenSSL. This option is not used with
791 GnuTLS; the curves may be chosen in the GnuTLS ciphersuite
792 specification. This option is also ignored for Mozilla NSS.
793
794 TLSProtocolMin <major>[.<minor>]
795 Specifies minimum SSL/TLS protocol version that will be
796 negotiated. If the server doesn't support at least that
797 version, the SSL handshake will fail. To require TLS 1.x or
798 higher, set this option to 3.(x+1), e.g.,
799
800 TLSProtocolMin 3.2
801
802 would require TLS 1.1. Specifying a minimum that is higher than
803 that supported by the OpenLDAP implementation will result in it
804 requiring the highest level that it does support. This
805 directive is ignored with GnuTLS.
806
807 TLSRandFile <filename>
808 Specifies the file to obtain random bits from when
809 /dev/[u]random is not available. Generally set to the name of
810 the EGD/PRNGD socket. The environment variable RANDFILE can
811 also be used to specify the filename. This directive is ignored
812 with GnuTLS and Mozilla NSS.
813
814 TLSVerifyClient <level>
815 Specifies what checks to perform on client certificates in an
816 incoming TLS session, if any. The <level> can be specified as
817 one of the following keywords:
818
819 never This is the default. slapd will not ask the client for a
820 certificate.
821
822 allow The client certificate is requested. If no certificate
823 is provided, the session proceeds normally. If a bad
824 certificate is provided, it will be ignored and the
825 session proceeds normally.
826
827 try The client certificate is requested. If no certificate
828 is provided, the session proceeds normally. If a bad
829 certificate is provided, the session is immediately
830 terminated.
831
832 demand | hard | true
833 These keywords are all equivalent, for compatibility
834 reasons. The client certificate is requested. If no
835 certificate is provided, or a bad certificate is
836 provided, the session is immediately terminated.
837
838 Note that a valid client certificate is required in order
839 to use the SASL EXTERNAL authentication mechanism with a
840 TLS session. As such, a non-default TLSVerifyClient
841 setting must be chosen to enable SASL EXTERNAL
842 authentication.
843
844 TLSCRLCheck <level>
845 Specifies if the Certificate Revocation List (CRL) of the CA
846 should be used to verify if the client certificates have not
847 been revoked. This requires TLSCACertificatePath parameter to be
848 set. This directive is ignored with GnuTLS and Mozilla NSS.
849 <level> can be specified as one of the following keywords:
850
851 none No CRL checks are performed
852
853 peer Check the CRL of the peer certificate
854
855 all Check the CRL for a whole certificate chain
856
857 TLSCRLFile <filename>
858 Specifies a file containing a Certificate Revocation List to be
859 used for verifying that certificates have not been revoked. This
860 directive is only valid when using GnuTLS and Mozilla NSS.
861
862 TLSMozNSSCompatibility <on/true/yes/off/false/no>
863 Specifies whether the MozNSS database compatibility layer for
864 TLS options should be enabled. This option is available only if
865 OpenLDAP is compiled with OpenSSL. This option defaults to
866 on.
867
868 GENERAL BACKEND OPTIONS
869 Options in this section only apply to the configuration file section
870 for the specified backend. They are supported by every type of
871 backend.
872
873 backend <databasetype>
874 Mark the beginning of a backend definition. <databasetype>
875 should be one of bdb, config, dnssrv, hdb, ldap, ldif, mdb,
876 meta, monitor, null, passwd, perl, relay, shell, or sql,
877 depending on which backend will serve the database.
878
879
880 GENERAL DATABASE OPTIONS
881 Options in this section only apply to the configuration file section
882 for the database in which they are defined. They are supported by
883 every type of backend. Note that the database and at least one suffix
884 option are mandatory for each database.
885
886 database <databasetype>
887 Mark the beginning of a new database instance definition.
888 <databasetype> should be one of bdb, config, dnssrv, hdb, ldap,
889 ldif, mdb, meta, monitor, null, passwd, perl, relay, shell, or
890 sql, depending on which backend will serve the database.
891
892 LDAP operations, even subtree searches, normally access only one
893 database. That can be changed by gluing databases together with
894 the subordinate keyword. Access controls and some overlays can
895 also involve multiple databases.
896
897 add_content_acl on | off
898 Controls whether Add operations will perform ACL checks on the
899 content of the entry being added. This check is off by default.
900 See the slapd.access(5) manual page for more details on ACL
901 requirements for Add operations.
902
903 extra_attrs <attrlist>
904 Lists what attributes need to be added to search requests.
905 Local storage backends return the entire entry to the frontend.
906 The frontend takes care of only returning the requested
907 attributes that are allowed by ACLs. However, features like
908 access checking and so may need specific attributes that are not
909 automatically returned by remote storage backends, like proxy
910 backends and so on. <attrlist> is a list of attributes that are
911 needed for internal purposes and thus always need to be
912 collected, even when not explicitly requested by clients.
913
914 hidden on | off
915 Controls whether the database will be used to answer queries. A
916 database that is hidden will never be selected to answer any
917 queries, and any suffix configured on the database will be
918 ignored in checks for conflicts with other databases. By
919 default, hidden is off.
920
921 lastmod on | off
922 Controls whether slapd will automatically maintain the
923 modifiersName, modifyTimestamp, creatorsName, and
924 createTimestamp attributes for entries. It also controls the
925 entryCSN and entryUUID attributes, which are needed by the
926 syncrepl provider. By default, lastmod is on.
927
928 limits <selector> <limit> [<limit> [...]]
929 Specify time and size limits based on the operation's initiator
930 or base DN. The argument <selector> can be any of
931
932 anonymous | users | [<dnspec>=]<pattern> |
933 group[/oc[/at]]=<pattern>
934
935 with
936
937 <dnspec> ::= dn[.<type>][.<style>]
938
939 <type> ::= self | this
940
941 <style> ::= exact | base | onelevel | subtree | children
942 | regex | anonymous
943
944 DN type self is the default and means the bound user, while this
945 means the base DN of the operation. The term anonymous matches
946 all unauthenticated clients. The term users matches all
947 authenticated clients; otherwise an exact dn pattern is assumed
948 unless otherwise specified by qualifying the (optional) key
949 string dn with exact or base (which are synonyms), to require an
950 exact match; with onelevel, to require exactly one level of
951 depth match; with subtree, to allow any level of depth match,
952 including the exact match; with children, to allow any level of
953 depth match, not including the exact match; regex explicitly
954 requires the (default) match based on POSIX ("extended")
955 regular expression pattern. Finally, anonymous matches unbound
956 operations; the pattern field is ignored. The same behavior is
957 obtained by using the anonymous form of the <selector> clause.
958 The term group, with the optional objectClass oc and
959 attributeType at fields, followed by pattern, sets the limits
960 for any DN listed in the values of the at attribute (default
961 member) of the oc group objectClass (default groupOfNames) whose
962 DN exactly matches pattern.
963
964 The currently supported limits are size and time.
965
966 The syntax for time limits is time[.{soft|hard}]=<integer>,
967 where integer is the number of seconds slapd will spend
968 answering a search request. If no time limit is explicitly
969 requested by the client, the soft limit is used; if the
970 requested time limit exceeds the hard limit, the value of the
971 limit is used instead. If the hard limit is set to the keyword
972 soft, the soft limit is used in either case; if it is set to the
973 keyword unlimited, no hard limit is enforced. Explicit requests
974 for time limits smaller or equal to the hard limit are honored.
975 If no limit specifier is set, the value is assigned to the soft
976 limit, and the hard limit is set to soft, to preserve the
977 original behavior.
978
979 The syntax for size limits is
980 size[.{soft|hard|unchecked}]=<integer>, where integer is the
981 maximum number of entries slapd will return answering a search
982 request. If no size limit is explicitly requested by the
983 client, the soft limit is used; if the requested size limit
984 exceeds the hard limit, the value of the limit is used instead.
985 If the hard limit is set to the keyword soft, the soft limit is
986 used in either case; if it is set to the keyword unlimited, no
987 hard limit is enforced. Explicit requests for size limits
988 smaller or equal to the hard limit are honored. The unchecked
989 specifier sets a limit on the number of candidates a search
990 request is allowed to examine. The rationale behind it is that
991 searches for non-properly indexed attributes may result in large
992 sets of candidates, which must be examined by slapd(8) to
993 determine whether they match the search filter or not. The
994 unchecked limit provides a means to drop such operations before
995 they are even started. If the selected candidates exceed the
996 unchecked limit, the search will abort with Unwilling to
997 perform. If it is set to the keyword unlimited, no limit is
998 applied (the default). If it is set to disabled, the search is
999 not even performed; this can be used to disallow searches for a
1000 specific set of users. If no limit specifier is set, the value
1001 is assigned to the soft limit, and the hard limit is set to
1002 soft, to preserve the original behavior.
1003
1004 In case of no match, the global limits are used. The default
1005 values are the same as for sizelimit and timelimit; no limit is
1006 set on unchecked.
1007
1008 If pagedResults control is requested, the hard size limit is
1009 used by default, because the request of a specific page size is
1010 considered an explicit request for a limitation on the number of
1011 entries to be returned. However, the size limit applies to the
1012 total count of entries returned within the search, and not to a
1013 single page. Additional size limits may be enforced; the syntax
1014 is size.pr={<integer>|noEstimate|unlimited}, where integer is
1015 the max page size if no explicit limit is set; the keyword
1016 noEstimate inhibits the server from returning an estimate of the
1017 total number of entries that might be returned (note: the
1018 current implementation does not return any estimate). The
1019 keyword unlimited indicates that no limit is applied to the
1020 pagedResults control page size. The syntax
1021 size.prtotal={<integer>|unlimited|disabled} sets a limit on the
1022 total number of entries that a pagedResults control can
1023 return. By default it is set to the hard limit. When set,
1024 integer is the max number of entries that the whole search
1025 with pagedResults control can return. Use unlimited to allow
1026 an unlimited number of entries to be returned, e.g. to allow the
1027 use of the pagedResults control as a means to circumvent size
1028 limitations on regular searches; the keyword disabled disables
1029 the control, i.e. no paged results can be returned. Note that
1030 the total number of entries returned when the pagedResults
1031 control is requested cannot exceed the hard size limit of
1032 regular searches unless extended by the prtotal switch.
1033
1034 The limits statement is typically used to let an unlimited
1035 number of entries be returned by searches performed with the
1036 identity used by the consumer for synchronization purposes by
1037 means of the RFC 4533 LDAP Content Synchronization protocol (see
1038 syncrepl for details).
1039
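The soft/hard/unchecked rules above, applied in code as an added example that is not part of OpenLDAP or this manual page: parse_limits_line, effective_limit, candidates_allowed and the constructed config fragment are illustration-only names, and the 500/3600 fallbacks follow the global sizelimit and timelimit defaults stated in the manual.

```python
"""Resolve the search limits slapd would enforce from `limits` directives.

Added example, not code from OpenLDAP or this manual page: it parses
constructed `limits` lines in slapd.conf syntax and applies the
soft/hard/unchecked rules described in the manual to a client's request.
"""
import shlex

UNLIMITED = "unlimited"
SOFT = "soft"
DISABLED = "disabled"
# Fallbacks when a limits line leaves a value unset; they mirror the
# global sizelimit (500) and timelimit (3600) defaults from the manual.
GLOBAL_DEFAULTS = {"size": 500, "time": 3600}


def _value(text):
    """Numeric limit -> int; keywords (unlimited, soft, disabled) stay strings."""
    return int(text) if text.isdigit() else text


def parse_limits_line(line):
    """Parse `limits <selector> <limit> [...]` into (selector, spec).

    spec is {"size": {...}, "time": {...}}; per the manual, a limit given
    without a .soft/.hard specifier sets the soft limit and sets hard to "soft".
    """
    tokens = shlex.split(line)          # handles the quoted DN in the selector
    if len(tokens) < 3 or tokens[0] != "limits":
        raise ValueError(f"not a limits directive: {line!r}")
    selector, spec = tokens[1], {"size": {}, "time": {}}
    for tok in tokens[2:]:
        key, sep, raw = tok.partition("=")
        kind, _, qualifier = key.partition(".")
        if not sep or kind not in spec:
            raise ValueError(f"bad limit {tok!r}")
        if qualifier == "":
            spec[kind]["soft"] = _value(raw)
            spec[kind]["hard"] = SOFT
        elif qualifier in ("soft", "hard") or (kind == "size" and qualifier == "unchecked"):
            spec[kind][qualifier] = _value(raw)
        else:
            raise ValueError(f"unknown qualifier in {tok!r}")
    return selector, spec


def effective_limit(limit, requested=None, default=None):
    """Limit slapd enforces for one search, as an int or UNLIMITED.

    requested is the client's explicit limit: None if it sent none,
    0 when it asked for no limit (LDAP encodes "unlimited" as 0).
    """
    soft = limit.get("soft", default if default is not None else UNLIMITED)
    hard = limit.get("hard", SOFT)
    if hard == SOFT:            # hard=soft: the soft limit applies either way
        hard = soft
    if requested is None:       # no explicit request: the soft limit
        return soft
    if hard == UNLIMITED:       # no hard limit enforced: honour the request
        return UNLIMITED if requested == 0 else requested
    if requested == 0 or requested > hard:   # request exceeds hard: hard wins
        return hard
    return requested            # request within the hard limit is honoured


def candidates_allowed(limit, candidates):
    """Apply size.unchecked; False means slapd answers unwillingToPerform."""
    unchecked = limit.get("unchecked", UNLIMITED)
    if unchecked == DISABLED:   # the search is not performed at all
        return False
    if unchecked == UNLIMITED:
        return True
    return candidates <= unchecked


# Constructed slapd.conf fragment: the replication identity gets no limits,
# authenticated users a soft/hard pair, anonymous clients a tight cap plus
# a bound on the number of candidates a poorly indexed search may examine.
SAMPLE_CONFIG = """
limits dn.exact="cn=replicator,dc=example,dc=com" size=unlimited time=unlimited
limits users size.soft=200 size.hard=1000 time=60
limits anonymous size.soft=50 size.hard=100 size.unchecked=5000 time.hard=10
"""


def load_limits(text):
    """Map selector -> spec for every limits line in a config fragment."""
    return dict(parse_limits_line(ln) for ln in text.splitlines()
                if ln.strip().startswith("limits"))


if __name__ == "__main__":
    for selector, spec in load_limits(SAMPLE_CONFIG).items():
        for req in (None, 0, 75, 5000):
            print(selector, "size request", req, "->",
                  effective_limit(spec["size"], req, GLOBAL_DEFAULTS["size"]))
```
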
1040 maxderefdepth <depth>
1041 Specifies the maximum number of aliases to dereference when
1042 trying to resolve an entry, used to avoid infinite alias loops.
1043 The default is 15.
1044
1045 mirrormode on | off
1046 This option puts a replica database into "mirror" mode. Update
1047 operations will be accepted from any user, not just the
1048 updatedn. The database must already be configured as a syncrepl
1049 consumer before this keyword may be set. This mode also requires
1050 a serverID (see above) to be configured. By default, mirrormode
1051 is off.
1052
1053 monitoring on | off
1054 This option enables database-specific monitoring in the entry
1055 related to the current database in the "cn=Databases,cn=Monitor"
1056 subtree of the monitor database, if the monitor database is
1057 enabled. Currently, only the BDB and the HDB databases provide
1058 database-specific monitoring. The default depends on the
1059 backend type.
1060
1061 overlay <overlay-name>
1062 Add the specified overlay to this database. An overlay is a
1063 piece of code that intercepts database operations in order to
1064 extend or change them. Overlays are pushed onto a stack over the
1065 database, and so they will execute in the reverse of the order
1066 in which they were configured and the database itself will
1067 receive control last of all. See the slapd.overlays(5) manual
1068 page for an overview of the available overlays. Note that all
1069 of the database's regular settings should be configured before
1070 any overlay settings.
1071
1072 readonly on | off
1073 This option puts the database into "read-only" mode. Any
1074 attempts to modify the database will return an "unwilling to
1075 perform" error. By default, readonly is off.
1076
1077 restrict <oplist>
1078 Specify a whitespace separated list of operations that are
1079 restricted. If defined inside a database specification,
1080 restrictions apply only to that database, otherwise they are
1081 global. Operations can be any of add, bind, compare, delete,
1082 extended[=<OID>], modify, rename, search, or the special pseudo-
1083 operations read and write, which respectively summarize read and
1084 write operations. The use of restrict write is equivalent to
1085 readonly on (see above). The extended keyword accepts the OID of
1086 the specific extended operation to be restricted.
1087
1088 rootdn <dn>
1089 Specify the distinguished name that is not subject to access
1090 control or administrative limit restrictions for operations on
1091 this database. This DN may or may not be associated with an
1092 entry. An empty root DN (the default) specifies no root access
1093 is to be granted. It is recommended that the rootdn only be
1094 specified when needed (such as when initially populating a
1095 database). If the rootdn is within a namingContext (suffix) of
1096 the database, a simple bind password may also be provided using
1097 the rootpw directive. Many optional features, including
1098 syncrepl, require the rootdn to be defined for the database.
1099
1100 rootpw <password>
1101 Specify a password (or hash of the password) for the rootdn.
1102 The password can only be set if the rootdn is within the
1103 namingContext (suffix) of the database. This option accepts all
1104 RFC 2307 userPassword formats known to the server (see
1105 password-hash description) as well as cleartext. slappasswd(8)
1106 may be used to generate a hash of a password. Cleartext and
1107 {CRYPT} passwords are not recommended. If empty (the default),
1108 authentication of the root DN is by other means (e.g. SASL).
1109 Use of SASL is encouraged.
1110
1111 suffix <dn suffix>
1112 Specify the DN suffix of queries that will be passed to this
1113 backend database. Multiple suffix lines can be given and at
1114 least one is required for each database definition.
1115
1116 If the suffix of one database is "inside" that of another, the
1117 database with the inner suffix must come first in the
1118 configuration file. You may also want to glue such databases
1119 together with the subordinate keyword.
1120
1121 subordinate [advertise]
1122 Specify that the current backend database is a subordinate of
1123 another backend database. A subordinate database may have only
1124 one suffix. This option may be used to glue multiple databases
1125 into a single namingContext. If the suffix of the current
1126 database is within the namingContext of a superior database,
1127 searches against the superior database will be propagated to the
1128 subordinate as well. All of the databases associated with a
1129 single namingContext should have identical rootdns. Behavior of
1130 other LDAP operations is unaffected by this setting. In
1131 particular, it is not possible to use moddn to move an entry
1132 from one subordinate to another subordinate within the
1133 namingContext.
1134
1135 If the optional advertise flag is supplied, the naming context
1136 of this database is advertised in the root DSE. The default is
1137 to hide this database context, so that only the superior context
1138 is visible.
1139
1140 If the slap tools slapcat(8), slapadd(8), or slapindex(8) are
1141 used on the superior database, any glued subordinates that
1142 support these tools are opened as well.
1143
1144 Databases that are glued together should usually be configured
1145 with the same indices (assuming they support indexing), even for
1146 attributes that only exist in some of these databases. In
1147 general, all of the glued databases should be configured as
1148 similarly as possible, since the intent is to provide the
1149 appearance of a single directory.
1150
1151 Note that the subordinate functionality is implemented
1152 internally by the glue overlay and as such its behavior will
1153 interact with other overlays in use. By default, the glue
1154 overlay is automatically configured as the last overlay on the
1155 superior backend. Its position on the backend can be explicitly
1156 configured by setting an overlay glue directive at the desired
1157 position. This explicit configuration is necessary e.g. when
1158 using the syncprov overlay, which needs to follow glue in order
1159 to work over all of the glued databases. E.g.
1160 database bdb
1161 suffix dc=example,dc=com
1162 ...
1163 overlay glue
1164 overlay syncprov
1165
1166 sync_use_subentry
1167 Store the syncrepl contextCSN in a subentry instead of the
1168 context entry of the database. The subentry's RDN will be
1169 "cn=ldapsync". By default the contextCSN is stored in the
1170 context entry.
1171
1172 syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port]
1173 searchbase=<base DN> [type=refreshOnly|refreshAndPersist]
1174 [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of
1175 retries>]+] [filter=<filter str>] [scope=sub|one|base|subord]
1176 [attrs=<attr list>] [exattrs=<attr list>] [attrsonly]
1177 [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off]
1178 [network-timeout=<seconds>] [timeout=<seconds>]
1179 [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>]
1180 [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
1181 [realm=<realm>] [secprops=<properties>]
1182 [keepalive=<idle>:<probes>:<interval>] [starttls=yes|critical]
1183 [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>]
1184 [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand]
1185 [tls_cipher_suite=<ciphers>] [tls_crlcheck=none|peer|all]
1186 [tls_protocol_min=<major>[.<minor>]] [suffixmassage=<real DN>]
1187 [logbase=<base DN>] [logfilter=<filter str>]
1188 [syncdata=default|accesslog|changelog]
1189 Specify the current database as a replica which is kept up-to-
1190 date with the master content by establishing the current
1191 slapd(8) as a replication consumer site running a syncrepl
1192 replication engine. The replica content is kept synchronized to
1193 the master content using the LDAP Content Synchronization
1194 protocol. Refer to the "OpenLDAP Administrator's Guide" for
1195 detailed information on setting up a replicated slapd directory
1196 service using the syncrepl replication engine.
1197
1198 rid identifies the current syncrepl directive within the
1199 replication consumer site. It is a non-negative integer not
1200 greater than 999 (limited to three decimal digits).
1201
1202 provider specifies the replication provider site containing the
1203 master content as an LDAP URI. If <port> is not given, the
1204 standard LDAP port number (389 or 636) is used.
1205
1206 The content of the syncrepl replica is defined using a search
1207 specification as its result set. The consumer slapd will send
1208 search requests to the provider slapd according to the search
1209 specification. The search specification includes searchbase,
1210 scope, filter, attrs, attrsonly, sizelimit, and timelimit
1211 parameters as in the normal search specification. The scope
1212 defaults to sub, the filter defaults to (objectclass=*), and
1213 there is no default searchbase. The attrs list defaults to "*,+"
1214 to return all user and operational attributes, and attrsonly is
1215 unset by default. The exattrs option may also be used to specify
1216 attributes that should be omitted from incoming entries; it is
1217 unset by default. The sizelimit and timelimit only accept
1218 "unlimited" and positive integers, and both default to
1219 "unlimited". The sizelimit and timelimit parameters define a
1220 consumer requested limitation on the number of entries that can
1221 be returned by the LDAP Content Synchronization operation; as
1222 such, they are intended to implement partial replication based
1223 on the size of the replicated database and on the time required
1224 by the synchronization. Note, however, that any provider-side
1225 limits for the replication identity will be enforced by the
1226 provider regardless of the limits requested by the LDAP Content
1227 Synchronization operation, much like for any other search
1228 operation.
1238
1239 The LDAP Content Synchronization protocol has two operation
1240 types. In the refreshOnly operation, the next synchronization
1241 search operation is periodically rescheduled at an interval time
1242 (specified by interval parameter; 1 day by default) after each
1243 synchronization operation finishes. In the refreshAndPersist
1244 operation, a synchronization search remains persistent in the
1245 provider slapd. Further updates to the master replica will
1246 generate searchResultEntry to the consumer slapd as the search
1247 responses to the persistent synchronization search.
1248
1249 If an error occurs during replication, the consumer will attempt
1250 to reconnect according to the retry parameter which is a list of
1251 the <retry interval> and <# of retries> pairs. For example,
1252 retry="60 10 300 3" lets the consumer retry every 60 seconds for
1253 the first 10 times and then retry every 300 seconds for the next
1254 3 times before it stops retrying. The `+' in <# of retries> means
1255 an indefinite number of retries until success. If no retry was
1256 specified, by default syncrepl retries every hour forever.
1257
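The retry schedule described above, expanded in code as an added example rather than OpenLDAP code: parse_retry, retry_delays and total_retries are illustration-only names, and the one-hour default and the `+` meaning follow the paragraph above.

```python
"""Expand a syncrepl retry="<interval> <count> [...]" schedule into delays.

Added example, not code from OpenLDAP or this manual page: it parses the
retry parameter as the manual describes it ("+" meaning retry until
success) and yields the delay before each reconnection attempt.
"""

HOUR = 3600


def parse_retry(retry=None):
    """Return [(interval_seconds, count), ...]; count None means unbounded.

    A missing retry parameter defaults to retrying every hour forever.
    """
    if retry is None:
        return [(HOUR, None)]
    tokens = retry.split()
    if not tokens or len(tokens) % 2:
        raise ValueError(f"retry needs <interval> <count> pairs: {retry!r}")
    pairs = []
    for interval, count in zip(tokens[::2], tokens[1::2]):
        secs = int(interval)
        if secs <= 0:
            raise ValueError("retry interval must be positive")
        pairs.append((secs, None if count == "+" else int(count)))
    return pairs


def retry_delays(retry=None, max_attempts=None):
    """Yield the delay in seconds before each retry.

    Stops when the schedule is exhausted, or after max_attempts delays so
    an unbounded ("+") schedule can still be inspected.
    """
    produced = 0
    for secs, count in parse_retry(retry):
        done = 0
        while count is None or done < count:
            if max_attempts is not None and produced >= max_attempts:
                return
            yield secs
            done += 1
            produced += 1


def total_retries(retry=None):
    """Attempts before the consumer gives up, or None if it never does."""
    pairs = parse_retry(retry)
    if any(count is None for _, count in pairs):
        return None
    return sum(count for _, count in pairs)


if __name__ == "__main__":
    # The manual's own example: 10 retries at 60 s, then 3 at 300 s.
    print(list(retry_delays("60 10 300 3")), total_retries("60 10 300 3"))
```
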
1258 The schema checking can be enforced at the LDAP Sync consumer
1259 site by turning on the schemachecking parameter. The default is
1260 off. Schema checking on means that replicated entries must have
1261 a structural objectClass, must obey objectClass requirements
1262 in terms of required/allowed attributes, and that naming
1263 attributes and distinguished values must be present. As a
1264 consequence, schema checking should be off when partial
1265 replication is used.
1266
1267 The network-timeout parameter sets how long the consumer will
1268 wait to establish a network connection to the provider. Once a
1269 connection is established, the timeout parameter determines how
1270 long the consumer will wait for the initial Bind request to
1271 complete. The defaults for these parameters come from
1272 ldap.conf(5).
1273
1274 A bindmethod of simple requires the options binddn and
1275 credentials and should only be used when adequate security
1276 services (e.g. TLS or IPSEC) are in place. REMEMBER: simple
1277 bind credentials must be in cleartext! A bindmethod of sasl
1278 requires the option saslmech. Depending on the mechanism, an
1279 authentication identity and/or credentials can be specified
1280 using authcid and credentials. The authzid parameter may be
1281 used to specify an authorization identity. Specific security
1282 properties (as with the sasl-secprops keyword above) for a SASL
1283 bind can be set with the secprops option. A non-default SASL
1284 realm can be set with the realm option. The identity used for
1285 synchronization by the consumer should be allowed to receive an
1286 unlimited number of entries in response to a search request.
1287 The provider, besides allowing authentication of the syncrepl
1288 identity, should grant that identity appropriate access
1289 privileges to the data that is being replicated (access
1290 directive), and appropriate time and size limits. This can be
1291 accomplished by either allowing unlimited sizelimit and
1292 timelimit, or by setting an appropriate limits statement in the
1293 consumer's configuration (see sizelimit and limits for details).
1294
1295 The keepalive parameter sets the values of idle, probes, and
1296 interval used to check whether a socket is alive; idle is the
1297 number of seconds a connection needs to remain idle before TCP
1298 starts sending keepalive probes; probes is the maximum number of
1299 keepalive probes TCP should send before dropping the connection;
1300 interval is the interval in seconds between individual keepalive
1301 probes. Only some systems support the customization of these
1302 values; the keepalive parameter is ignored otherwise, and
1303 system-wide settings are used.
1304
              The starttls parameter specifies use of the StartTLS extended
              operation to establish a TLS session before binding to the
              provider. If the critical argument is supplied, the session will
              be aborted if the StartTLS request fails. Otherwise the syncrepl
              session continues without TLS. The tls_reqcert setting defaults
              to "demand" and the other TLS settings default to the same as
              the main slapd TLS settings.

              The suffixmassage parameter allows the consumer to pull entries
              from a remote directory whose DN suffix differs from the local
              directory. The portion of the remote entries' DNs that matches
              the searchbase will be replaced with the suffixmassage DN.

              Rather than replicating whole entries, the consumer can query
              logs of data modifications. This mode of operation is referred
              to as delta syncrepl. In addition to the above parameters, the
              logbase and logfilter parameters must be set appropriately for
              the log that will be used. The syncdata parameter must be set to
              either "accesslog" if the log conforms to the slapo-accesslog(5)
              log format, or "changelog" if the log conforms to the obsolete
              changelog format. If the syncdata parameter is omitted or set to
              "default" then the log parameters are ignored.

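              An added check, not OpenLDAP code, that applies the starttls,
              tls_reqcert and delta-syncrepl rules above to a constructed
              slapd.conf: continuation lines are unwrapped first, then each
              syncrepl directive is parsed and audited. The keywords rid,
              provider, bindmethod, binddn and searchbase are the ones defined
              earlier for syncrepl; the host, DNs and credentials are invented
              sample values.

```python
import shlex

# Constructed sample consumer config (rid=001 weakens TLS, rid=002 lacks logfilter).
SAMPLE = """\
database mdb
suffix "dc=example,dc=com"
syncrepl rid=001 provider=ldap://provider.example.com
    bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
    credentials=secret searchbase="dc=example,dc=com"
    type=refreshAndPersist starttls=yes tls_reqcert=never
syncrepl rid=002 provider=ldap://provider.example.com
    bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
    credentials=secret searchbase="dc=example,dc=com"
    starttls=critical syncdata=accesslog logbase="cn=accesslog"
"""

def unwrap(text):
    """Join continuation lines (leading white space), then drop blank/comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return [l for l in lines if l.strip() and not l.startswith("#")]

def parse_syncrepl(line):
    """Split 'syncrepl key=value ...' into a dict; shlex honours "..." and \\ escapes."""
    args = shlex.split(line)[1:]
    return dict(a.split("=", 1) for a in args if "=" in a)

def audit(text):
    """Return (rid, finding) pairs for every syncrepl directive in text."""
    findings = []
    for line in unwrap(text):
        if line.split(None, 1)[0].lower() != "syncrepl":
            continue
        p = parse_syncrepl(line)
        rid = p.get("rid", "?")
        if p.get("starttls") != "critical":
            findings.append((rid, "starttls is not critical: a failed StartTLS "
                                  "leaves the session, and the bind, in cleartext"))
        if p.get("tls_reqcert", "demand") != "demand":
            findings.append((rid, "tls_reqcert=%s weakens the demand default"
                                  % p["tls_reqcert"]))
        if (p.get("syncdata", "default") in ("accesslog", "changelog")
                and not (p.get("logbase") and p.get("logfilter"))):
            findings.append((rid, "delta syncrepl needs both logbase and logfilter"))
    return findings
```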
       updatedn <dn>
              This option is only applicable in a slave database. It
              specifies the DN permitted to update (subject to access
              controls) the replica. It is only needed in certain push-mode
              replication scenarios. Generally, this DN should not be the
              same as the rootdn used at the master.

       updateref <url>
              Specify the referral to pass back when slapd(8) is asked to
              modify a replicated local database. If specified multiple
              times, each url is provided.

       Each database may allow specific configuration options; they are
       documented separately in the backends' manual pages. See the
       slapd.backends(5) manual page for an overview of available backends.

       Here is a short example of a configuration file:

              include /etc/openldap/schema/core.schema
              pidfile /var/run/slapd.pid

              # Subtypes of "name" (e.g. "cn" and "ou") with the
              # option ";x-hidden" can be searched for/compared,
              # but are not shown. See slapd.access(5).
              attributeoptions x-hidden lang-
              access to attrs=name;x-hidden by * =cs

              # Protect passwords. See slapd.access(5).
              access to attrs=userPassword by * auth
              # Read access to other attributes and entries.
              access to * by * read

              database bdb
              suffix "dc=our-domain,dc=com"
              # The database directory MUST exist prior to
              # running slapd AND should only be accessible
              # by the slapd/tools. Mode 0700 recommended.
              directory /var/openldap-data
              # Indices to maintain
              index objectClass eq
              index cn,sn,mail pres,eq,approx,sub

              # We serve small clients that do not handle referrals,
              # so handle remote lookups on their behalf.
              database ldap
              suffix ""
              uri ldap://ldap.some-server.com/
              lastmod off

       "OpenLDAP Administrator's Guide" contains a longer annotated example of
       a configuration file. The original /etc/openldap/slapd.conf is another
       example.

       /etc/openldap/slapd.conf
              default slapd configuration file

       ldap(3), gnutls-cli(1), slapd-config(5), slapd.access(5),
       slapd.backends(5), slapd.overlays(5), slapd.plugin(5), slapd(8),
       slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
       slapindex(8), slappasswd(8), slaptest(8).

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>. OpenLDAP Software is derived from
       University of Michigan LDAP 3.3 Release.



OpenLDAP 2.4.44                   2016/02/05                   SLAPD.CONF(5)